discordrat | c13a0cd7c2c2fd577703bff026b72ed81b51266afa047328c8ff1c4a4d965c97

Analysis

max time kernel
569s
max time network
558s
platform
windows11-21h2_x64
resource
win11-20250314-en
resource tags

arch:x64arch:x86image:win11-20250314-enlocale:en-usos:windows11-21h2-x64system
submitted
29/03/2025, 01:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

release.zip
Size

445KB
MD5

06a4fcd5eb3a39d7f50a0709de9900db
SHA1

50d089e915f69313a5187569cda4e6dec2d55ca7
SHA256

c13a0cd7c2c2fd577703bff026b72ed81b51266afa047328c8ff1c4a4d965c97
SHA512

75e5f637fd3282d088b1c0c1efd0de8a128f681e4ac66d6303d205471fe68b4fbf0356a21d803aff2cca6def455abad8619fedc8c7d51e574640eda0df561f9b
SSDEEP

12288:BfJ13+GoLo2d5ifXHE8134QwYOwFSFRiLQI:BKGo8EifSQwYWI

Score

10^/10

discordrat discovery persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTMxMTExNjM0MDgyNzkxODM4Ng.GZgp5J.D-isKVnBmQWnhDli2GHk0UlJkvseTfJnFrFBgY
server_id
1310835970563637248

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat

Executes dropped EXE 1 IoCs

pid	Process
2324	Client-built.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
87	api.gofile.io
88	api.gofile.io

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133876855292700037"	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2 = 3a001f44471a0359723fa74489c55595fe6b30ee260001002600efbe1000000081b44d17eb94db017b28da3cf494db01e956fbf94aa0db0114000000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1092616193"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:PID = "0"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616193"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\NodeSlot = "4"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 010000000200000000000000ffffffff	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Downloads"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupView = "0"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\MRUListEx = ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428\DisplayName = "Chrome Sandbox"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428\Moniker = "cr.sb.odm3E4D1A088C1F6D498C84F3C86DE73CE49F82A104"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428\Children	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\IconSize = "48"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByDirection = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	chrome.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\release.zip:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2072	chrome.exe
2072	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2988	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

pid	Process
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2004	chrome.exe
Token: SeCreatePagefilePrivilege	2004	chrome.exe
Token: SeShutdownPrivilege	2004	chrome.exe
Token: SeCreatePagefilePrivilege	2004	chrome.exe
Token: SeShutdownPrivilege	2004	chrome.exe
Token: SeCreatePagefilePrivilege	2004	chrome.exe
Token: SeShutdownPrivilege	2004	chrome.exe
Token: SeCreatePagefilePrivilege	2004	chrome.exe
Token: SeShutdownPrivilege	2004	chrome.exe
Token: SeCreatePagefilePrivilege	2004	chrome.exe
Token: SeShutdownPrivilege	2004	chrome.exe
Token: SeCreatePagefilePrivilege	2004	chrome.exe
Token: SeShutdownPrivilege	2004	chrome.exe
Token: SeCreatePagefilePrivilege	2004	chrome.exe
Token: SeShutdownPrivilege	2004	chrome.exe
Token: SeCreatePagefilePrivilege	2004	chrome.exe
Token: SeShutdownPrivilege	2004	chrome.exe
Token: SeCreatePagefilePrivilege	2004	chrome.exe
Token: SeShutdownPrivilege	2004	chrome.exe
Token: SeCreatePagefilePrivilege	2004	chrome.exe
Token: SeShutdownPrivilege	2004	chrome.exe
Token: SeCreatePagefilePrivilege	2004	chrome.exe
Token: SeShutdownPrivilege	2004	chrome.exe
Token: SeCreatePagefilePrivilege	2004	chrome.exe
Token: SeShutdownPrivilege	2004	chrome.exe
Token: SeCreatePagefilePrivilege	2004	chrome.exe
Token: SeShutdownPrivilege	2004	chrome.exe
Token: SeCreatePagefilePrivilege	2004	chrome.exe
Token: SeShutdownPrivilege	2004	chrome.exe
Token: SeCreatePagefilePrivilege	2004	chrome.exe
Token: SeShutdownPrivilege	2004	chrome.exe
Token: SeCreatePagefilePrivilege	2004	chrome.exe
Token: SeShutdownPrivilege	2004	chrome.exe
Token: SeCreatePagefilePrivilege	2004	chrome.exe
Token: SeShutdownPrivilege	2004	chrome.exe
Token: SeCreatePagefilePrivilege	2004	chrome.exe
Token: SeShutdownPrivilege	2004	chrome.exe
Token: SeCreatePagefilePrivilege	2004	chrome.exe
Token: SeShutdownPrivilege	2004	chrome.exe
Token: SeCreatePagefilePrivilege	2004	chrome.exe
Token: SeShutdownPrivilege	2004	chrome.exe
Token: SeCreatePagefilePrivilege	2004	chrome.exe
Token: SeShutdownPrivilege	2004	chrome.exe
Token: SeCreatePagefilePrivilege	2004	chrome.exe
Token: SeShutdownPrivilege	2004	chrome.exe
Token: SeCreatePagefilePrivilege	2004	chrome.exe
Token: SeShutdownPrivilege	2004	chrome.exe
Token: SeCreatePagefilePrivilege	2004	chrome.exe
Token: SeShutdownPrivilege	2004	chrome.exe
Token: SeCreatePagefilePrivilege	2004	chrome.exe
Token: SeShutdownPrivilege	2004	chrome.exe
Token: SeCreatePagefilePrivilege	2004	chrome.exe
Token: SeShutdownPrivilege	2004	chrome.exe
Token: SeCreatePagefilePrivilege	2004	chrome.exe
Token: SeShutdownPrivilege	2004	chrome.exe
Token: SeCreatePagefilePrivilege	2004	chrome.exe
Token: SeShutdownPrivilege	2004	chrome.exe
Token: SeCreatePagefilePrivilege	2004	chrome.exe
Token: SeShutdownPrivilege	2004	chrome.exe
Token: SeCreatePagefilePrivilege	2004	chrome.exe
Token: SeShutdownPrivilege	2004	chrome.exe
Token: SeCreatePagefilePrivilege	2004	chrome.exe
Token: SeShutdownPrivilege	2004	chrome.exe
Token: SeCreatePagefilePrivilege	2004	chrome.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2988	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 3468	2004	chrome.exe	85
PID 2004 wrote to memory of 3468	2004	chrome.exe	85
PID 2004 wrote to memory of 996	2004	chrome.exe	86
PID 2004 wrote to memory of 996	2004	chrome.exe	86
PID 2004 wrote to memory of 996	2004	chrome.exe	86
PID 2004 wrote to memory of 996	2004	chrome.exe	86
PID 2004 wrote to memory of 996	2004	chrome.exe	86
PID 2004 wrote to memory of 996	2004	chrome.exe	86
PID 2004 wrote to memory of 996	2004	chrome.exe	86
PID 2004 wrote to memory of 996	2004	chrome.exe	86
PID 2004 wrote to memory of 996	2004	chrome.exe	86
PID 2004 wrote to memory of 996	2004	chrome.exe	86
PID 2004 wrote to memory of 996	2004	chrome.exe	86
PID 2004 wrote to memory of 996	2004	chrome.exe	86
PID 2004 wrote to memory of 996	2004	chrome.exe	86
PID 2004 wrote to memory of 996	2004	chrome.exe	86
PID 2004 wrote to memory of 996	2004	chrome.exe	86
PID 2004 wrote to memory of 996	2004	chrome.exe	86
PID 2004 wrote to memory of 996	2004	chrome.exe	86
PID 2004 wrote to memory of 996	2004	chrome.exe	86
PID 2004 wrote to memory of 996	2004	chrome.exe	86
PID 2004 wrote to memory of 996	2004	chrome.exe	86
PID 2004 wrote to memory of 996	2004	chrome.exe	86
PID 2004 wrote to memory of 996	2004	chrome.exe	86
PID 2004 wrote to memory of 996	2004	chrome.exe	86
PID 2004 wrote to memory of 996	2004	chrome.exe	86
PID 2004 wrote to memory of 996	2004	chrome.exe	86
PID 2004 wrote to memory of 996	2004	chrome.exe	86
PID 2004 wrote to memory of 996	2004	chrome.exe	86
PID 2004 wrote to memory of 996	2004	chrome.exe	86
PID 2004 wrote to memory of 996	2004	chrome.exe	86
PID 2004 wrote to memory of 996	2004	chrome.exe	86
PID 2004 wrote to memory of 2744	2004	chrome.exe	87
PID 2004 wrote to memory of 2744	2004	chrome.exe	87
PID 2004 wrote to memory of 6080	2004	chrome.exe	88
PID 2004 wrote to memory of 6080	2004	chrome.exe	88
PID 2004 wrote to memory of 6080	2004	chrome.exe	88
PID 2004 wrote to memory of 6080	2004	chrome.exe	88
PID 2004 wrote to memory of 6080	2004	chrome.exe	88
PID 2004 wrote to memory of 6080	2004	chrome.exe	88
PID 2004 wrote to memory of 6080	2004	chrome.exe	88
PID 2004 wrote to memory of 6080	2004	chrome.exe	88
PID 2004 wrote to memory of 6080	2004	chrome.exe	88
PID 2004 wrote to memory of 6080	2004	chrome.exe	88
PID 2004 wrote to memory of 6080	2004	chrome.exe	88
PID 2004 wrote to memory of 6080	2004	chrome.exe	88
PID 2004 wrote to memory of 6080	2004	chrome.exe	88
PID 2004 wrote to memory of 6080	2004	chrome.exe	88
PID 2004 wrote to memory of 6080	2004	chrome.exe	88
PID 2004 wrote to memory of 6080	2004	chrome.exe	88
PID 2004 wrote to memory of 6080	2004	chrome.exe	88
PID 2004 wrote to memory of 6080	2004	chrome.exe	88
PID 2004 wrote to memory of 6080	2004	chrome.exe	88
PID 2004 wrote to memory of 6080	2004	chrome.exe	88
PID 2004 wrote to memory of 6080	2004	chrome.exe	88
PID 2004 wrote to memory of 6080	2004	chrome.exe	88
PID 2004 wrote to memory of 6080	2004	chrome.exe	88
PID 2004 wrote to memory of 6080	2004	chrome.exe	88
PID 2004 wrote to memory of 6080	2004	chrome.exe	88
PID 2004 wrote to memory of 6080	2004	chrome.exe	88
PID 2004 wrote to memory of 6080	2004	chrome.exe	88
PID 2004 wrote to memory of 6080	2004	chrome.exe	88
PID 2004 wrote to memory of 6080	2004	chrome.exe	88
PID 2004 wrote to memory of 6080	2004	chrome.exe	88

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\release.zip
1⤵
PID:2072

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3976

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:2988

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd9f4bdcf8,0x7ffd9f4bdd04,0x7ffd9f4bdd10
  2⤵
  PID:3468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1912,i,16808003399759835418,8995761267144002014,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=1908 /prefetch:2
  2⤵
  PID:996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=2204,i,16808003399759835418,8995761267144002014,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2216 /prefetch:11
  2⤵
  PID:2744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2356,i,16808003399759835418,8995761267144002014,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2372 /prefetch:13
  2⤵
  PID:6080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3188,i,16808003399759835418,8995761267144002014,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3220 /prefetch:1
  2⤵
  PID:2484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3244,i,16808003399759835418,8995761267144002014,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:5384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4036,i,16808003399759835418,8995761267144002014,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4144 /prefetch:9
  2⤵
  PID:5360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4596,i,16808003399759835418,8995761267144002014,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4620 /prefetch:1
  2⤵
  PID:2016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5256,i,16808003399759835418,8995761267144002014,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5240 /prefetch:14
  2⤵
  PID:5548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5408,i,16808003399759835418,8995761267144002014,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5432 /prefetch:1
  2⤵
  PID:2044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5652,i,16808003399759835418,8995761267144002014,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5588 /prefetch:14
  2⤵
  PID:4820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5588,i,16808003399759835418,8995761267144002014,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5776 /prefetch:14
  2⤵
  PID:2868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5816,i,16808003399759835418,8995761267144002014,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3192 /prefetch:14
  2⤵
  PID:3696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5796,i,16808003399759835418,8995761267144002014,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3640 /prefetch:14
  2⤵
  PID:2280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3600,i,16808003399759835418,8995761267144002014,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3664 /prefetch:14
  2⤵
  PID:3168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=1572,i,16808003399759835418,8995761267144002014,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5964 /prefetch:1
  2⤵
  PID:3824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5292,i,16808003399759835418,8995761267144002014,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3508 /prefetch:14
  2⤵
  - NTFS ADS
  PID:1876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5300,i,16808003399759835418,8995761267144002014,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4388 /prefetch:14
  2⤵
  PID:3952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3464,i,16808003399759835418,8995761267144002014,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5892 /prefetch:14
  2⤵
  PID:3488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3892,i,16808003399759835418,8995761267144002014,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3456 /prefetch:14
  2⤵
  PID:2876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=5844,i,16808003399759835418,8995761267144002014,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4168 /prefetch:9
  2⤵
  PID:3172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=5836,i,16808003399759835418,8995761267144002014,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5220 /prefetch:10
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=on_device_model.mojom.OnDeviceModelService --lang=en-US --service-sandbox-type=on_device_model_execution --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4620,i,16808003399759835418,8995761267144002014,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3080 /prefetch:14
  2⤵
  PID:4768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --field-trial-handle=1924,i,16808003399759835418,8995761267144002014,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3080 /prefetch:1
  2⤵
  PID:5428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --field-trial-handle=4712,i,16808003399759835418,8995761267144002014,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=6248 /prefetch:1
  2⤵
  PID:2104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --field-trial-handle=6324,i,16808003399759835418,8995761267144002014,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4668 /prefetch:1
  2⤵
  PID:5700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --field-trial-handle=4740,i,16808003399759835418,8995761267144002014,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=6536 /prefetch:1
  2⤵
  PID:4756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --field-trial-handle=5888,i,16808003399759835418,8995761267144002014,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=6440 /prefetch:1
  2⤵
  PID:5832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5964,i,16808003399759835418,8995761267144002014,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=6376 /prefetch:14
  2⤵
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2988

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:3588

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4700

C:\Users\Admin\Downloads\release\builder.exe
"C:\Users\Admin\Downloads\release\builder.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:3200

C:\Users\Admin\Downloads\release\Client-built.exe
"C:\Users\Admin\Downloads\release\Client-built.exe"
1⤵
- Executes dropped EXE
PID:2324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
dd92fa395ee66e1936d3191b0ddbf5ca

SHA1
adbc96e0a44b1f5c752174f521e6254a2c7c2437

SHA256
ae2b95b508a3fe61558c8f3f5603ad08be850ec81e61e83fbf59ac81c2eaf240

SHA512
f82f19711167902b1a39ba529e796b6dac24ff0f00d53969ec7b31fd2ce0e102628218358a7323c3a5e625a4b8c8630916304d44bfc3c53e258450b379904885

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
93f3bef0e905be66ee977b349abf3da0

SHA1
6ecd1f23bae85f0208bebec1811dd64b981faec4

SHA256
68032ef1c34d2ef427c6e52a12a4f5019d376b469bb695517c15705e96bd8533

SHA512
8e9463ba512d9066605cb7c4a352ff29c2bef1092162bce005b0c79c51a3c13ad3e31ce0369d3ccd7865e449c08f0d6946a9863a15caeb1fe7b7e023c4805d02

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
e4316fb911fc045cfc2635cc4615ea08

SHA1
720af55a768791e42a437f6e4350d85e69f476fa

SHA256
0e9ecacfc29132095425b60074ab22e19258c928accbcdb8e2826af9be3044cb

SHA512
a62bd6cc4d9f1a771db7b694f3444b18d82e4cb199f239cc711341946289457084b8febab08743936b2f6bd2395a5af0e9e20d3ebfbfd88f9c3d2b3e48b602cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.90.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
31d1a895290402c04d31e63e61725917

SHA1
0335ffe86d0391d51da36165dbdf26138de9fc21

SHA256
66fcc79a0476ca59a4182b287e8e94a8aff2f6513e9e951f48c53415a3f44b54

SHA512
839fc23a23861a16765d8d8c34b338078dfa9a6599c9a26cb655573b07f90801ead5d731b1feaf6dc98f0ec74123d8029615d0ed455618811b3e8398d2f3d43b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
7KB

MD5
6fe2c6c5338fe7967254d90c57e951bb

SHA1
1b04381fa79e4911392443490fcf054bda8abcdd

SHA256
b9bf0b2da5ef95af48f4a0fd08083b03f21d38007bb418d36975b63bea5e0a08

SHA512
dd5d090657415d032ba9f5798eb8c97bfdf9dbba93aee0f1e5868fe900e0a47021e1991b5ae6992bfbf0fa85187494a288535d2d20db6f828dfb9a3696e0a42e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
7KB

MD5
6da460424063b64ed66c441667a8032c

SHA1
b1f77decf958286180737bf5bf5fda3b6f91f5f1

SHA256
320d7bd09593cdf800a3e3f28445b3463497034c143a2cb13fbef50646fe624f

SHA512
ff2e982730ca448337f152e73f88ca1d9c3a12afdc67ebcb110603f75fb6451b54ae6a3f9d1158b0ba84496f3006a3fc7164fa318c3c0ada35c4388f13ec3264

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
3fcbb49c22e47e69e8bee9d5ffaa20f2

SHA1
b786c7e5a8a461b36cc417cfea0066b31b9af440

SHA256
0a79b9073d8954d9e21c6284c9f35e37b300c03012e3786d6f415849400fdd9f

SHA512
07a588690ba494cd42358a290e5a0255efe356cb4f94bdd23df4424d1104a515d9f3fb21f5ab990fef5e8563ceda4c3533d4581d9f3c1c02d4571c1b2b069f54

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
006227b1f92f46c8530a0123887ffc76

SHA1
b21b73079af7c2c1a4cb08b29e5715367baa9d59

SHA256
9d5df5bbe7330e65574e169cb2232eb3f42132daa4da738338d01a65b17b01e1

SHA512
94393481f378ddff673d133748513580800828de1af969f639ccdada30dcc97c7f06e9f7b4bd4dd92a96e62b6a720e700570b5ada5ea9999f376f496f4550543

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
34beae344761257c4745071e6a9a5bad

SHA1
c7f142c9c01139b65ef74a3f394ab767e7226a45

SHA256
d2655bd8f82cc8e6d00bd4c42fce637a8069cfdfd861df1bdd6834ce455792a9

SHA512
a677fcd9aabbafce35cf13bed6f779461f0685488ccff79a72bf666d11bc6fb57af6b8eab3b159ab0ccbbc8124b519e19c10612006aab779be4b49efaec00a35

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
21a9476d88e51fa0074ec233e707d785

SHA1
63419b49995d442556dadf782406bdaa140b5108

SHA256
51db6b646a248cdc6c491e50328b59882c0923372ee99a425d4cbba040c19654

SHA512
c55b9e47ffbd5b9387d373457c654dcae313e6fd8f70a40f8f84b0520b6fcf3b1182400e8a960661166d522fd17c65f4b5c7e28343f822d9f92a10894311b5a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
fb93fa6c99b46ee0dcbf961b9ef2e32a

SHA1
e629d6f7cdde20ccd46f22d83d625491e180f652

SHA256
ce5efb86f16afe78e773301763085990a6c7dbd189979a5bd4a3b21da8524b02

SHA512
5ed3c1f4eac508080741a50ef8781f743d1b4258ec621cd2aae930820cad7d9451681af1f81bc8684095011dbfbf43362bee3603e7dbbc6c0704847e17bb9f0f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
18KB

MD5
07ca618b14b36adb8246ae53fb7451a7

SHA1
9fb74ae8da987ee33ab4b24fe93431c1e958457f

SHA256
e7868dd64ecc1b136ef4ad535be24e2b16e9c1d3097743217c8847b0b676b42d

SHA512
c1f96a23ef2ad155db24df4a9055897542ba70baa67f1409b81cfa02654e147d864fc7790abdbf39a63a590536cf3468856d4aabee6173207998a720bc3d6092

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
f12fc0fbb68ca63be6206679ba1961c2

SHA1
76e692843b25da8d8527af5119f37dda1897403b

SHA256
ca354bc7d19bfe6eab7021b782f0699de0f5136c233bb2903b1233bcd225e5c2

SHA512
3bf5c1f553de4d0784556906ab1a07eeaa1d00712bba7729550d2cc766cd8217d3910a22526fff925cc9b4ec88761ebed8c4222c53dc00eb6dd9f69ff7470b9a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
1cb8dfbfb0e41c41a9622bd2f3c4015b

SHA1
824c468a3b99a45299801830e844e3136c581a13

SHA256
d6c90e6aa3095683a5b95246c48ad7ac1caca25db3e7b2e8648bb18fff77b385

SHA512
2ac2339e6da9f335381d4b6a9cc6d04a22319ccd721189f53aa517f7a474e4e69b1636ade2db60c0a0aee9cd5e2db242026aac065b9d385c5037a89e87585e64

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
4a88a15454c01269decb643672647157

SHA1
b8f40b19326ecec77cf69cd91d552416fdc9fde9

SHA256
38a297356e64f2cea6e8677d14801c02e7d3a031fc1c96c1b20fb5ff33e0c0af

SHA512
e18252f67c4e24e17d03ecc390dbb6e8f5de8abe255f324ab84a6079d47b4f59e8d3e17651b03885e89f3a452b1a949fa46b0a585b4640455588be66c234b4be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe582517.TMP

Filesize
48B

MD5
4b77d2941b1a680ae51328b4c4fcc3bd

SHA1
53f5f3f6d8ddb9c6b8da9d45fc23cee94e9d7a42

SHA256
a56c3b95bade57856aff85c55b2285004e1767d79be957615fe58f0f7bad09e6

SHA512
3c5f11ad1f5c4ad400b0c174fb9e20b94b93488170d0c75f6449c60d25fdbfcb1933054e5e75530e4293c509dfedd060fa0c7c5e8e069eab34bebe7ca8e8e803

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
80KB

MD5
b9ae9bf80af7e3b37aaeccf7ac015012

SHA1
31c6a1f255522143d782493155b022e043a54cb5

SHA256
0c5fe8ee5a2fc82ba745f92b16add1f3a9b2e9d35c67e88d2169ed9aff3edc43

SHA512
79a55b7b42601bd33d7314127212a90c6d4875268aca37161da5d52c424dc79a175347b857dad7dfc33761bc7d5ad03a8eb9f198fc452ab263d0ac45af1346ab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
155KB

MD5
4dab39656ef187cb1b603416e356c1a7

SHA1
19811dfe90f1f4d441521ffed675907b9f65f05d

SHA256
52851763e23d1e92b509e5239a8e73dbce3caf5f807e731517f0365849f7c92d

SHA512
14674b50a4e152084666754037417c66b5b75ff8d6909dba2ffb6e30df2a31addf7491b996a8520409d357096006cc793e890e7ac18f6f7369818093635e558b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
156KB

MD5
1dd5a0ae2b7acd946ea5f936028730de

SHA1
07b7896b30a7f13652c465ea9cd2784c05ca1354

SHA256
7626f65c67f8625e88f8c2e61730003a31b3646c2292841dd81ea98bce20e299

SHA512
926ca451ce7de921b7b902b4a195ea6a1482cf58074c789afe43e4172bc8cf0b710d22eee62e33466ae32eaddc3e2d2c415be4eb8ec76d0a9c898e832c8589b9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
155KB

MD5
392c0b443f80f12a2a36cad3756f1350

SHA1
2c84d2f12f66e824e99a695a78ef0ee678262e9f

SHA256
930615685b5fa162b4b3b90afd3d9b2244c1c6134b3d61f7b1a3c0cad9b3eee3

SHA512
292be222bea18cf827d5f72aa92936d4f953ec2fd4b4d7e0006a74a9fdb2937d6a67074594ec5ce7804d498254223a82b96c5c5693da7b44e18919d7d4ae89e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2004_1525096196\d9ffdd94-2431-4294-bdeb-0c2fec33151e.tmp

Filesize
152KB

MD5
dd9bf8448d3ddcfd067967f01e8bf6d7

SHA1
d7829475b2bd6a3baa8fabfaf39af57c6439b35e

SHA256
fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

SHA512
65347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de

Download Submit
C:\Users\Admin\Downloads\release.zip.crdownload

Filesize
445KB

MD5
06a4fcd5eb3a39d7f50a0709de9900db

SHA1
50d089e915f69313a5187569cda4e6dec2d55ca7

SHA256
c13a0cd7c2c2fd577703bff026b72ed81b51266afa047328c8ff1c4a4d965c97

SHA512
75e5f637fd3282d088b1c0c1efd0de8a128f681e4ac66d6303d205471fe68b4fbf0356a21d803aff2cca6def455abad8619fedc8c7d51e574640eda0df561f9b

Download Submit
C:\Users\Admin\Downloads\release.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\release\Client-built.exe

Filesize
78KB

MD5
298e1b4523578e03072ec6e3297dc7aa

SHA1
446f3a24ebbd691e547ebadb60fab2da8a33639d

SHA256
e88d475ed7abfc4f82562ce435ec2969cc66fef4645267c5ae205ad0066d5a73

SHA512
a25e9db70219d2c2a20cb610dd01cea3658e1751feb57e29570ad949e98a8738e50a89d609471836526438aedd2fec6537e19b63da796fcf2985ed5cdacb1b9c

Download Submit
memory/2324-835-0x00000157A0910000-0x00000157A0AD2000-memory.dmp

Filesize
1.8MB

Download
memory/2324-834-0x0000015786310000-0x0000015786328000-memory.dmp

Filesize
96KB

Download
memory/2324-836-0x00000157A1110000-0x00000157A1638000-memory.dmp

Filesize
5.2MB

Download
memory/3200-829-0x0000000001070000-0x0000000001192000-memory.dmp

Filesize
1.1MB

Download
memory/3200-782-0x0000000005390000-0x000000000539A000-memory.dmp

Filesize
40KB

Download
memory/3200-781-0x00000000051E0000-0x0000000005272000-memory.dmp

Filesize
584KB

Download
memory/3200-780-0x00000000056D0000-0x0000000005C76000-memory.dmp

Filesize
5.6MB

Download
memory/3200-779-0x0000000000730000-0x0000000000738000-memory.dmp

Filesize
32KB

Download